On Friday 19 Feb 2016 16:23:22 Daniel Quinn wrote:
> The problem is that the names of the fields on iThings are different
> from the fields I see in NetworkManager, so I don’t know what correlates
> to what.
>
> I have just uninstalled libreswan and installed strongswan, but I can’t
> find evidence of a networkmanager plugin for strongswan in Portage. |eix
> stronswan| only returns one record: |net-misc/strongswan|, which is
> installed. Can I use it without NetworkManager while using
> NetworkManager for basic connectivity?

I don't know for sure because I don't use NM. The strongswan plugin is called
... "networkmanager" and you install this with the flag USE="networkmanager",
which I assume is already set in your system.


> Here’s the .mobileconfig file, with the juicy-bits redacted:
> |<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC
>
> "-//Apple//DTD PLIST 1.0//EN"
> "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <!-- Read more:
> https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile
> --> <plist version="1.0"> <dict> <!-- Set the name to whatever you like,
> it is used in the profile list on the device -->
> <key>PayloadDisplayName</key> <string>My IKEv2 VPN Profile</string>

"My IKEv2 VPN Profile"

is used as the name of these VPN settings. In strongswan's /etc/ipsec.conf
you would set it as:

conn "My IKEv2 VPN Profile"


> <!--
> This is a reverse-DNS style unique identifier used to detect duplicate
> profiles --> <key>PayloadIdentifier</key> <string>REDACTED</string>

This would be the domain name of the server, or relevant domain name which
will be queried on a reverse-DNS resolution to match the remote IP address to
domain name. Not sure if this is needed by strongswan.


> <!--
> A globally unique identifier, use uuidgen on Linux/Mac OS X to generate
> it --> <key>PayloadUUID</key> <string>REDACTED</string>
> <key>PayloadType</key> <string>Configuration</string>
> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadContent</key>
> <array> <!-- It is possible to add multiple VPN payloads with different
> identifiers/UUIDs and names --> <dict> <!-- This is an extension of the
> identifier given above --> <key>PayloadIdentifier</key>
> <string>REDACTED</string> <!-- A globally unique identifier for this
> payload --> <key>PayloadUUID</key> <string>REDACTED</string>
> <key>PayloadType</key> <string>com.apple.vpn.managed</string>
> <key>PayloadVersion</key> <integer>1</integer> <!-- This is the name of
> the VPN connection as seen in the VPN application later -->
> <key>UserDefinedName</key> <string>My IKEv2 VPN</string>
> <key>VPNType</key> <string>IKEv2</string> <key>IKEv2</key>

This tells you that you should configure IKEv2 in strongswan/NM. IKEv2 is the
default, or you can set:

keyexchange=ike ##will initiate a connection as IKEv2 but will accept both
IKEv1 and IKEv2 as a response. If you only want IKEv2 use:

keyexchange=ikev2


> <dict> <!--
> Hostname or IP address of the VPN server --> <key>RemoteAddress</key>
> <string>REDACTED</string>

The above is the IP address of the Ubuntu VPN gateway. In strongswan terms
you would set it as:

right=123.456.78.9 ##Replace the digits with the Ubuntu public IP address


> <!-- Remote identity, can be a FQDN, a
> userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be
> empty. IMPORTANT: DNs are currently not handled correctly, they are
> always sent as identities of type FQDN --> <key>RemoteIdentifier</key>
> <string>REDACTED</string>

FQDN used as the VPN gateway identifier. In strongswan:

rightid=REDACTED ##use here the RemoteIdentifier above.


> <!-- Local IKE identity, same restrictions as
> above. If it is empty the client's IP address will be used -->
> <key>LocalIdentifier</key> <string></string> <!-- OnDemand references:
> http://www.v2ex.com/t/137653

If there is no LocalIdentifier provided in the .mobileconfig, then it will use
the IP address of the client. Set it as:

left=%defaultroute


> https://developer.apple.com/library/mac/featuredarticles/iPhoneConfiguration
> ProfileRef/Introduction/Introduction.html Continue reading:
> https://github.com/iphoting/ovpnmcgen.rb -->
> <key>OnDemandEnabled</key> <integer>1</integer> <key>OnDemandRules</key>
> <array> <dict> <key>Action</key> <string>Connect</string> </dict>
> </array> <!-- The server is authenticated using a certificate -->
> <key>AuthenticationMethod</key> <string>SharedSecret</string>
> <key>SharedSecret</key> <string>REDACTED</string>

authby=psk

The value of the secret passphrase you will need to add in /etc/ipsec.secrets:

<your_client_ID_goes_here> 123.456.78.9 : PSK "xY9LLZvwj4qCC2o/gGrWD"


> <!-- Turn off EAP -->
> <key>ExtendedAuthEnabled</key> <integer>0</integer> <!-- AuthName key is
> required to dismiss the Enter Username screen on iOS 9, even if
> ExtendedAuthEnabled is false --> <key>AuthName</key> <string></string>
> <!-- AuthPassword key is required to dismiss the Enter Password screen
> on iOS 9, even if ExtendedAuthEnabled is false -->
> <key>AuthPassword</key> <string></string> </dict> </dict> </array>
> </dict> </plist> |

I can't tell from the above if the server has XAUTH configured. If it does
then you need to add this in your /etc/ipsec.secrets file:

Daniel : XAUTH "Daniel's account passwd"

I also can't see above any ciphers set by the server, so I guess all that have
been compiled in the client's OS kernel will be tried out in turn.

The strongswan documentation and ipsec.conf man page have the rest you will
need to configure your client. Keep an eye on the logs for errors so that you
can find out what settings you should experiment with and if you got the
syntax correct.

-- 
Regards,
Mick
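The field-by-field mapping walked through in the reply above, as an added example that is not part of the original thread and not strongswan's or Apple's own tooling: a small Python script that reads a .mobileconfig with plistlib, picks out each com.apple.vpn.managed payload and emits the matching ipsec.conf conn block and ipsec.secrets line. The sample profile is constructed, with the redacted values replaced by documentation-range placeholders. Two choices are assumptions rather than something the thread states: the conn name is taken from the payload's UserDefinedName instead of the profile-level PayloadDisplayName (a profile may carry several VPN payloads), and auto=add is added so strongswan loads the conn without starting it.

```python
import plistlib
from typing import Dict, List

# Constructed sample: same keys as the profile quoted in the thread, with the
# redacted values replaced by documentation-range placeholders (not real data).
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>My IKEv2 VPN Profile</string>
  <key>PayloadIdentifier</key><string>org.example.vpn</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadIdentifier</key><string>org.example.vpn.ikev2</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>UserDefinedName</key><string>My IKEv2 VPN</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>192.0.2.10</string>
        <key>RemoteIdentifier</key><string>vpn.example.org</string>
        <key>LocalIdentifier</key><string></string>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>SharedSecret</key><string>PLACEHOLDER-PSK</string>
        <key>ExtendedAuthEnabled</key><integer>0</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def vpn_payloads(profile: bytes) -> List[Dict]:
    """Return every VPN payload in the profile (a profile may carry several)."""
    top = plistlib.loads(profile)
    return [p for p in top.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]


def ikev2_settings(payload: Dict) -> Dict:
    """Validate the parts of an IKEv2/PSK payload that the mapping below needs."""
    if payload.get("VPNType") != "IKEv2":
        raise ValueError("only VPNType=IKEv2 payloads are handled")
    ike = payload["IKEv2"]
    for key in ("RemoteAddress", "RemoteIdentifier"):
        if not ike.get(key):
            raise ValueError(f"{key} must not be empty")
    if ike.get("AuthenticationMethod") != "SharedSecret":
        raise ValueError("only AuthenticationMethod=SharedSecret is mapped here")
    return ike


def to_ipsec_conf(payload: Dict) -> str:
    """ipsec.conf conn block following the RemoteAddress / RemoteIdentifier /
    LocalIdentifier / SharedSecret mapping given in the thread."""
    ike = ikev2_settings(payload)
    lines = [
        f'conn "{payload["UserDefinedName"]}"',   # assumption: per-payload name
        "    keyexchange=ikev2",                   # VPNType=IKEv2: no IKEv1 fallback
        f"    right={ike['RemoteAddress']}",
        f"    rightid={ike['RemoteIdentifier']}",
        "    left=%defaultroute",                  # empty LocalIdentifier -> own IP
    ]
    if ike.get("LocalIdentifier"):
        lines.append(f"    leftid={ike['LocalIdentifier']}")
    lines.append("    authby=psk")                 # AuthenticationMethod=SharedSecret
    lines.append("    auto=add")                   # assumption: load, do not start
    return "\n".join(lines) + "\n"


def to_ipsec_secrets(payload: Dict) -> str:
    """ipsec.secrets line: <local id> <gateway> : PSK "<secret>"."""
    ike = ikev2_settings(payload)
    secret = ike.get("SharedSecret", "")
    if not secret or '"' in secret:
        raise ValueError("SharedSecret is empty or contains a double quote")
    local = ike.get("LocalIdentifier") or "%any"
    line = f'{local} {ike["RemoteAddress"]} : PSK "{secret}"\n'
    if ike.get("ExtendedAuthEnabled"):
        # EAP/XAUTH is on: the account password needs its own entry, which the
        # profile does not carry.
        line += "# ExtendedAuthEnabled=1: add an XAUTH/EAP line for your username\n"
    return line


if __name__ == "__main__":
    for payload in vpn_payloads(SAMPLE_MOBILECONFIG):
        print("# /etc/ipsec.conf")
        print(to_ipsec_conf(payload))
        print("# /etc/ipsec.secrets (mode 0600, root only)")
        print(to_ipsec_secrets(payload))
```

The secrets line is written with the gateway address as the second identity and %any as the first when LocalIdentifier is empty, matching the `<your_client_ID_goes_here> <gateway> : PSK "..."` form in the reply; since the PSK ends up in clear text in /etc/ipsec.secrets, keep that file readable by root only.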